RANGER-3983: Support getColumnMasks and getRowFilters in Trino SPI 376+

Signed-off-by: Madhan Neethiraj <[email protected]>
lchqlchq · Dec 2, 2022 · 9713760 · 9713760
1 parent fcf46f5
commit 9713760
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/...main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/...main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -42,6 +42,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.collect.ImmutableList;
+
 import java.io.IOException;
 import java.net.URL;
 import java.security.Principal;
@@ -174,6 +176,11 @@ public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, Cata
     return Optional.ofNullable(viewExpression);
   }
 
+  @Override
+  public List<ViewExpression> getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) {
+    return getRowFilter(context, tableName).map(ImmutableList::of).orElseGet(ImmutableList::of);
+  }
+
   @Override
   public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
     RangerTrinoAccessRequest request = createAccessRequest(
@@ -223,6 +230,11 @@ public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, Cat
     return Optional.ofNullable(viewExpression);
   }
 
+  @Override
+  public List<ViewExpression> getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
+    return getColumnMask(context, tableName, columnName, type).map(ImmutableList::of).orElseGet(ImmutableList::of);
+  }
+
   @Override
   public Set<String> filterCatalogs(SystemSecurityContext context, Set<String> catalogs) {
     LOG.debug("==> RangerSystemAccessControl.filterCatalogs("+ catalogs + ")");

diff --git a/.../java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java b/.../java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
@@ -38,6 +38,7 @@
 
 import javax.security.auth.kerberos.KerberosPrincipal;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -175,14 +176,21 @@ public void testMisc()
     final VarcharType varcharType = VarcharType.createVarcharType(20);
 
     Optional<ViewExpression> ret = accessControlManager.getColumnMask(context(alice), aliceTable, "cast_me", varcharType);
+    List<ViewExpression> retArray = accessControlManager.getColumnMasks(context(alice), aliceTable, "cast_me", varcharType);
     assertNotNull(ret.get());
     assertEquals(ret.get().getExpression(), "cast cast_me as varchar(20)");
+    assertEquals(1, retArray.size());
+    assertEquals("cast cast_me as varchar(20)", retArray.get(0).getExpression());
 
     ret = accessControlManager.getColumnMask(context(alice), aliceTable,"do-not-cast-me", varcharType);
+    retArray = accessControlManager.getColumnMasks(context(alice), aliceTable,"do-not-cast-me", varcharType);
     assertFalse(ret.isPresent());
+    assertTrue(retArray.isEmpty());
 
     ret = accessControlManager.getRowFilter(context(alice), aliceTable);
+    retArray = accessControlManager.getRowFilters(context(alice), aliceTable);
     assertFalse(ret.isPresent());
+    assertTrue(retArray.isEmpty());
 
     accessControlManager.checkCanExecuteFunction(context(alice), functionName);
     accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new TrinoPrincipal(USER, "grantee"), true);

diff --git a/...main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/...main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -28,6 +28,7 @@
 import javax.inject.Inject;
 import java.security.Principal;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -528,6 +529,18 @@ public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, Cata
     return viewExpression;
   }
 
+  @Override
+  public List<ViewExpression> getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) {
+    List<ViewExpression> viewExpressionList;
+    try {
+      activatePluginClassLoader();
+      viewExpressionList = systemAccessControlImpl.getRowFilters(context, tableName);
+    } finally {
+      deactivatePluginClassLoader();
+    }
+    return viewExpressionList;
+  }
+
   @Override
   public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
     Optional<ViewExpression> viewExpression;
@@ -540,6 +553,18 @@ public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, Cat
     return viewExpression;
   }
 
+  @Override
+  public List<ViewExpression> getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
+    List<ViewExpression> viewExpressionList;
+    try {
+      activatePluginClassLoader();
+      viewExpressionList = systemAccessControlImpl.getColumnMasks(context, tableName, columnName, type);
+    } finally {
+      deactivatePluginClassLoader();
+    }
+    return viewExpressionList;
+  }
+
   @Override
   public void checkCanSetUser(Optional<Principal> principal, String userName) {
     try {